outbound_smb_traffic

Explanation

This Netography Fusion Portal security event is triggered when outbound Windows Networking traffic is detected (including DCE-RPC, NetBIOS, and SMB).

What to Look For

When well-tuned, this event can detect unauthorized Windows Networking activity, which may indicate data exfiltration or exploitation of vulnerabilities. Networks often interact with cloud-hosted Active Directory servers over these protocols. Discards should be crafted for those known, authorized destination addresses so that only unauthorized activity raises the event.
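The tuning described above, as an added illustration that is not Netography's own detection code: internal-to-external flows on the well-known Windows Networking ports (135 DCE-RPC endpoint mapper, 137-139 NetBIOS, 445 SMB) raise the event unless the destination is on a discard list of authorized addresses. The internal ranges, the discard range and the flow records are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Well-known Windows Networking ports: 135 DCE-RPC endpoint mapper,
# 137-139 NetBIOS, 445 SMB over TCP.
WINDOWS_NETWORKING_PORTS = {135, 137, 138, 139, 445}

# Internal address space (assumed RFC 1918 ranges for this example).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Discards: known, authorized destinations such as cloud-hosted AD servers
# (constructed placeholder range, not real infrastructure).
AUTHORIZED_DESTINATIONS = [ipaddress.ip_network("203.0.113.0/29")]

@dataclass
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    bytes_out: int

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def is_authorized(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in AUTHORIZED_DESTINATIONS)

def detect_outbound_smb(flows):
    """Return flows that raise the event: internal source, external
    destination on a Windows Networking port, and not covered by a discard."""
    hits = []
    for f in flows:
        if f.dport not in WINDOWS_NETWORKING_PORTS:
            continue                      # not Windows Networking traffic
        if not is_internal(f.src) or is_internal(f.dst):
            continue                      # not outbound
        if is_authorized(f.dst):
            continue                      # discard: known cloud-hosted AD
        hits.append(f)
    return hits

# Constructed sample flow records.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.2", "tcp", 445, 18_000),        # authorized AD: discarded
    Flow("10.1.2.3", "198.51.100.7", "tcp", 445, 4_200_000),    # unknown external: event
    Flow("10.1.2.9", "10.1.2.10", "tcp", 445, 9_000),           # internal only: ignored
    Flow("10.1.2.3", "198.51.100.7", "tcp", 443, 50_000),       # HTTPS: out of scope
    Flow("192.168.5.5", "198.51.100.8", "udp", 137, 300),       # NetBIOS name service: event
]

if __name__ == "__main__":
    for f in detect_outbound_smb(SAMPLE_FLOWS):
        print(f"outbound_smb_traffic: {f.src} -> {f.dst}:{f.dport}/{f.proto} ({f.bytes_out} bytes)")
```

Large byte counts to an unknown external destination, as in the second sample flow, are the case worth prioritising during triage for the exfiltration concern noted above.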

Related MITRE ATT&CK Categories

Exfiltration Over Alternative Protocol (T1048)